1 Introduction


Following the ground-breaking work on public-key encryption in the 70's, the field of
Cryptography has evolved far beyond securing message transmission. Today, cryptographic
protocols are used in large-scale systems to guarantee not only confidentiality and
authenticity but also attack- and fault-tolerance.

For instance, the notion of secure computation, introduced by Yao and by Goldreich, Micali
and Wigderson in the early 80's, enables a set of parties to securely implement, through the
execution of a distributed communication protocol, any service that a trusted party could
perform for them. More precisely, a secure computation protocol allows n mutually distrustful
parties, each with their own private input, to evaluate any (efficiently computable) function
of their respective inputs while maintaining the same security as if a trusted third party
had performed the computation. Security here means that, even if an arbitrary subset of the
parties is corrupted and deviates from its prescribed instructions, both correctness and
confidentiality are still maintained.

Another central notion is that of a zero-knowledge proof. Zero-knowledge proofs (introduced
by Goldwasser, Micali and Rackoff) are protocols that enable one party, called the prover, to
convince another party, called the verifier, of the validity of some mathematical statement
without revealing anything beyond the fact that the statement is true. Zero-knowledge
protocols are often used as authentication protocols: I can convince you that I know the
secret key associated with a particular public key without actually revealing the secret key.

These new uses of cryptography, however, also admit new types of attacks, which require
studying new models of security. During the reporting period, we have focused on two major
directions within this topic: security under concurrent executions, and security under
tampering attacks.

Below we discuss some of our major achievements on these topics. Our research has been
published in the most prestigious Computer Science Theory conferences (STOC, FOCS, ITCS) and
the most prestigious Cryptography conferences (CRYPTO, EUROCRYPT, TCC); 5 of these papers
were selected for special issues on best papers.


2 Concurrent Security


The security of most cryptographic protocols (and, in particular, those for secure
computation) can be compromised if many instances of the protocol are executed concurrently.
The concurrent setting allows a coordinated attack in which an adversary controls many
parties and interleaves the executions of the various protocol instances. For instance, a
so-called man-in-the-middle attacker participating in two simultaneous executions of a
cryptographic protocol might use messages from one of the executions in order to violate the
security of the other.
Consider a two-party protocol between A, acting as initiator, and B, acting as responder.
A man-in-the-middle adversary M controlling the channel between A and B can participate in
an interaction with A, acting as a responder, and at the same time participate in an
interaction with B, acting as an initiator. By exploiting the interaction with A, M might be
able to violate the security of the interaction with B. At first glance, it seems that such
an attack can be prevented by encrypting all communication between A and B. This does not
work: if M acts as an honest responder in its interaction with A, then A believes that M is
her intended peer and encrypts all her messages under M's key, so M can decrypt them and
re-encrypt whatever it needs under B's key. The same holds for B. Indeed, Lowe's famous
attack on the Needham-Schroeder public-key protocol works exactly this way.
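
The interleaving just described, written out as an added example (this is not code from the
report) in a symbolic model of the Needham-Schroeder public-key protocol. The representation
of encryption as a tagged tuple that only the named recipient can open, and of nonces as
fresh strings, is an assumption of the model; the attacker never breaks a cipher, it only
relays messages between its session with A and its session with B. run_lowe_attack(False)
replays Lowe's attack; with lowe_fix=True the responder includes its own name in message 2
(Lowe's fix) and A aborts, because she is talking to M but the message names B.

```python
"""Lowe's man-in-the-middle attack on the Needham-Schroeder public-key
protocol, in a symbolic model.  Added example, not code from the report.

Assumptions: a ciphertext ("enc", recipient, payload) can be opened only by
`recipient`; nonces are fresh strings nobody can guess.  M never breaks any
encryption; it relays between two interleaved sessions, one as responder
to A and one as initiator to B."""
import itertools

_nonce_counter = itertools.count()


def fresh_nonce(owner):
    return f"N_{owner}_{next(_nonce_counter)}"


def enc(recipient, *payload):
    return ("enc", recipient, tuple(payload))


def dec(me, ciphertext):
    tag, recipient, payload = ciphertext
    if tag != "enc" or recipient != me:
        raise ValueError(f"{me} cannot open a message encrypted for {recipient}")
    return payload


class Initiator:
    """A: starts a session with `peer`.  With lowe_fix=True it expects the
    responder's identity in message 2 and aborts on a mismatch."""

    def __init__(self, name, peer, lowe_fix):
        self.name, self.peer, self.lowe_fix = name, peer, lowe_fix
        self.na = fresh_nonce(name)
        self.nb = None

    def msg1(self):                              # {Na, A}_pk(peer)
        return enc(self.peer, self.na, self.name)

    def recv2_send3(self, ciphertext):           # {Na, Nb[, B]}_pkA -> {Nb}_pk(peer)
        payload = dec(self.name, ciphertext)
        if self.lowe_fix:
            na, nb, responder = payload
            if responder != self.peer:
                raise ValueError(f"{self.name}: talking to {self.peer}, "
                                 f"but message 2 names {responder}")
        else:
            na, nb = payload
        if na != self.na:
            raise ValueError("nonce Na does not match")
        self.nb = nb
        return enc(self.peer, nb)


class Responder:
    """B: accepts whoever message 1 claims to be, once Nb comes back."""

    def __init__(self, name, lowe_fix):
        self.name, self.lowe_fix = name, lowe_fix
        self.nb = fresh_nonce(name)
        self.peer, self.accepted = None, False

    def recv1_send2(self, ciphertext):           # {Na, A}_pkB -> {Na, Nb[, B]}_pkA
        na, claimed = dec(self.name, ciphertext)
        self.peer = claimed
        if self.lowe_fix:
            return enc(claimed, na, self.nb, self.name)
        return enc(claimed, na, self.nb)

    def recv3(self, ciphertext):                 # {Nb}_pkB
        (nb,) = dec(self.name, ciphertext)
        if nb != self.nb:
            raise ValueError("nonce Nb does not match")
        self.accepted = True


def run_honest(lowe_fix):
    """A <-> B with no attacker; both end up agreeing on Nb."""
    a, b = Initiator("A", "B", lowe_fix), Responder("B", lowe_fix)
    b.recv3(a.recv2_send3(b.recv1_send2(a.msg1())))
    return b.accepted and b.peer == "A" and a.nb == b.nb


def run_lowe_attack(lowe_fix):
    """A willingly talks to M; M replays A's messages into a session with B
    while claiming to be A.  Returns who B thinks it authenticated and
    whether M learned B's nonce.  Raises ValueError if A aborts."""
    a, b = Initiator("A", "M", lowe_fix), Responder("B", lowe_fix)
    na, _ = dec("M", a.msg1())                   # session 1: A -> M, under M's key
    ct2 = b.recv1_send2(enc("B", na, "A"))       # session 2: M(A) -> B, under B's key
    ct3 = a.recv2_send3(ct2)                     # ct2 is under A's key: M just forwards it
    (nb,) = dec("M", ct3)                        # A answers M, so Nb is under M's key
    b.recv3(enc("B", nb))                        # M re-encrypts Nb for B
    return {"B_accepted": b.peer if b.accepted else None, "M_knows_Nb": nb == b.nb}
```

Without the fix, run_lowe_attack(False) returns {"B_accepted": "A", "M_knows_Nb": True}: B has
"authenticated" A and shares Nb with M, even though every message was encrypted. The fix works
because the only message M cannot open, message 2, now carries B's identity, which A can check
against the peer she actually started the session with.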

On the Internet, concurrent attacks are unavoidable. While both the need for concurrent
security and the corresponding definitions were articulated in the early 90's, constructions
of concurrently secure protocols were lacking.

During the reporting period, we have developed several novel techniques for dealing with
concurrent attacks, leading to the resolution of several decade-old open problems:

• We obtained the first constant-round construction of commitments secure against
man-in-the-middle attacks (non-malleable commitments) based on the minimal assumption of
one-way functions; this had remained a major open problem for over 20 years. Our paper was
just accepted for publication in the Journal of the ACM (the most prestigious journal in
Computer Science).

• We obtained the first constant-round secure computation protocols based on minimal
hardness assumptions, resolving a central problem open since the conception of secure
multi-party computation in 1987.

• We constructed the first secure computation protocols that require no trusted
infrastructure other than authenticated communication and that satisfy a meaningful notion
of security that is preserved under concurrent executions, assuming standard cryptographic
hardness assumptions.

• We demonstrated the first construction of concurrently secure protocols that use the
underlying cryptographic primitives only as black boxes, suggesting that practical solutions
may be within reach.

• We demonstrated the first constant-round concurrently secure protocol for the specific
class of zero-knowledge protocols, based on reasonable hardness assumptions. This had
remained an open problem since the original work by Dwork, Naor and Sahai from 1999.


3 Security in the Presence of Physical Attacks


The traditional definition of security assumes that the honest players' internal states are
completely hidden from the attacker, and that the only way for the attacker to learn
something about, or affect, the internal state is by providing inputs to and receiving
outputs from honest parties. This is an unrealistic assumption that has been proven wrong in
many settings.

During this reporting period, we have focused on analyzing the security of cryptographic
protocols in the presence of stronger attackers that may access honest parties in more
realistic ways. In particular, we have considered security in the context of tampering
attackers, who may tamper with the internal state of honest parties.


• Resettable security: A very natural type of tampering considers the security of primitives
in the presence of an attacker that may "reset" and "restart" an honest party, forcing it to
return to an earlier state of the computation while reusing the same random tape. This model
is particularly relevant for cryptographic protocols executed on embedded devices such as
smart cards: since these devices have neither a built-in power supply nor non-volatile
re-writable memory, they can be "reset" by simply disconnecting and reconnecting the power
supply. This notion of security is referred to as resettable security and its study was
initiated in 2000. While constructions of resettably secure protocols have been studied
extensively since their conception, all of these constructions relied on stronger-than-typical
cryptographic hardness assumptions. In a sequence of works appearing in STOC 2013, FOCS 2013
(two on this topic) and TCC 2014, we resolved some of the central outstanding open questions
in this field; namely, we showed constructions under minimal hardness assumptions and using a
minimal number of communication rounds.

• Tamper-resilient security: We initiated a study of the security of cryptographic
primitives in the presence of efficient tampering attacks on the randomness of honest
parties. More precisely, we consider p-tampering attackers that may tamper with each bit of
the honest parties' random tape with probability p, but have to do so in an "online" fashion
(the decision for each bit may depend only on the bits already generated). We present both
positive and negative results:

— Any secure encryption scheme, bit commitment scheme, or zero-knowledge protocol (these are
some of the most important cryptographic building blocks) can be broken with probability p
by a p-tampering attacker. The core of this result is a new Fourier-analytic technique for
biasing the output of bounded-value functions, which may be of independent interest.

— Assuming the existence of one-way functions, cryptographic primitives such as signatures
and identification protocols can be made resilient to p-tampering attacks for any
p = 1/n^α, where α > 0 and n is the security parameter.
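
To see why the reset model above is devastating for a standard protocol, here is an added
example (not code from the report) of a reset attack on Schnorr identification. The prover's
coins come from a random tape modelled as random.Random(seed); reset() rewinds the device to
its initial state and the same seed, exactly the "same random tape" situation of a powered-
down smart card. The toy-sized group (safe prime p = 2q + 1 with a generator of order q) is an
assumption of this example. A malicious verifier obtains the same commitment twice, answers
it with two different challenges, and solves for the secret key; this is the standard
special-soundness extraction, turned into an attack by the reset.

```python
"""Reset attack on Schnorr identification.  Added example, not from the report.

A prover whose coins come from a random tape the attacker can rewind leaks
its secret after two runs: the same commitment t = g^r answered for two
challenges c1 != c2 gives responses s_i = r + c_i * x (mod q), from which
x = (s1 - s2) / (c1 - c2) (mod q).  The group parameters (toy-sized safe
prime P = 2Q + 1, generator G of order Q) and the use of random.Random(seed)
as the device's random tape are assumptions of this example."""
import random

P = 2039   # safe prime, P = 2 * Q + 1 (toy size, for illustration only)
Q = 1019   # prime order of the subgroup generated by G
G = 4      # quadratic residue mod P, hence of order Q


class SchnorrProver:
    """Holds x and proves knowledge of x with y = G^x.  Its coins come from
    a seeded tape; reset() rewinds the device to its initial state and tape."""

    def __init__(self, x, tape_seed):
        self.x = x % Q
        self.y = pow(G, self.x, P)
        self.tape_seed = tape_seed
        self.reset()

    def reset(self):
        self.tape = random.Random(self.tape_seed)   # same seed => same coins again
        self.r = None

    def commit(self):                              # t = G^r
        self.r = self.tape.randrange(1, Q)
        return pow(G, self.r, P)

    def respond(self, c):                          # s = r + c * x  (mod Q)
        return (self.r + c * self.x) % Q


def verify(y, t, c, s):
    """Honest verifier's check: G^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def extract_secret_via_reset(prover, challenge_seed):
    """Malicious verifier: run once, reset the prover, run again with a
    different challenge on the same commitment, solve for x.  Returns None
    if the prover produced fresh coins after the reset (attack fails)."""
    rng = random.Random(challenge_seed)            # the verifier's own coins
    t1 = prover.commit()
    c1 = rng.randrange(Q)
    s1 = prover.respond(c1)
    prover.reset()                                 # the physical reset
    t2 = prover.commit()
    if t2 != t1:
        return None
    c2 = rng.randrange(Q)
    while c2 == c1:
        c2 = rng.randrange(Q)
    s2 = prover.respond(c2)
    if not (verify(prover.y, t1, c1, s1) and verify(prover.y, t2, c2, s2)):
        raise ValueError("prover transcripts do not verify")
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q
```

extract_secret_via_reset(SchnorrProver(777, tape_seed=2014), challenge_seed=7) returns 777.
Note that the prover cannot simply derive r deterministically from the verifier's message,
since in Schnorr the commitment is sent before the challenge; the resettable protocols in the
literature restructure the interaction (the verifier commits to its challenges first) so that
the prover's coins can be computed pseudorandomly from that first message rather than read
from a tape that a reset would replay.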

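
The p-tampering model above can be made concrete by computing exactly how much an online
p-tampering attacker can bias a bounded function of the random tape. The following is an
added example (not the report's Fourier-analytic construction): a dynamic program over tape
prefixes that returns the largest expectation of f any online p-tamperer can force, from
which the achievable bias follows. The sample functions (parity, majority) are constructed
for illustration. For a one-bit one-time pad the key bit is the whole tape and "the guess
m = c is right" is parity on n = 1, so the attacker's advantage is exactly p.

```python
"""Optimal online p-tampering of a random tape, computed exactly.  Added
example, not the report's construction.

Model: the honest party draws n uniform bits; for each bit, independently
with probability p, the attacker may choose that bit instead, seeing only
the bits already produced (online).  For a bounded f: {0,1}^n -> [-1, 1],
e.g. +1 when an attack on the tape succeeds, dynamic programming over
prefixes gives the largest E[f] any such attacker can force.  Exponential
in n; meant for small n.  Sample functions below are constructed."""
from functools import lru_cache


def best_tampered_expectation(f, n, p):
    """Max over online p-tampering strategies of E[f(tape)]."""
    @lru_cache(maxsize=None)
    def value(prefix):
        if len(prefix) == n:
            return float(f(prefix))
        v0, v1 = value(prefix + (0,)), value(prefix + (1,))
        # with prob p the attacker picks the better continuation,
        # otherwise the bit is an honest coin flip
        return p * max(v0, v1) + (1 - p) * (v0 + v1) / 2

    return value(())


def untampered_expectation(f, n):
    return best_tampered_expectation(f, n, 0.0)


def tampering_bias(f, n, p):
    """How far the optimal p-tamperer shifts E[f] from its honest value."""
    return best_tampered_expectation(f, n, p) - untampered_expectation(f, n)


def parity(bits):
    """+1 on even-weight tapes; a one-bit one-time pad's 'guess m = c' event
    is this function on n = 1."""
    return 1 if sum(bits) % 2 == 0 else -1


def majority(bits):
    return 1 if 2 * sum(bits) > len(bits) else -1
```

tampering_bias(parity, n, p) is exactly p for every n: parity of the remaining bits is
uncontrollable until the last one, where the attacker gets its single p-chance. Majority
is more tamperable, since every controlled bit pushes in the same direction:
best_tampered_expectation(majority, 3, 0.5) is 0.6875 against an honest mean of 0.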

4 Other Significant Results


Limits of Provable Security  Modern Cryptography relies on the principle that cryptographic
schemes are proven secure based on mathematically precise assumptions; these can be general,
such as the existence of one-way functions, or specific, such as the hardness of factoring
products of large primes. The security proof is a reduction that transforms any attacker A on
the scheme into a machine that breaks the underlying assumption (e.g., inverts an alleged
one-way function). During the past four decades, many cryptographic tasks have been based on
a number of well-studied complexity-theoretic intractability assumptions. But there are some
well-known protocols and primitives (e.g., Schnorr's identification scheme, commitment
schemes secure against selective openings, Chaum's blind signatures, etc.) that have resisted
security reductions under well-studied intractability assumptions. What makes these protocols
and primitives intriguing is that no attacks on them are known (and some of them are actually
in use on the Internet). In a work from STOC'11, I demonstrated that for many of these
primitives/protocols (and in particular, the above-mentioned ones), if their security can be
based on any standard assumption using a Turing security reduction, then the assumption can
be broken in polynomial time. In a line of subsequent works, we have extended this framework
to deal with more primitives and stronger proof techniques.


Techniques for Program Obfuscation  The goal of program obfuscation is to "scramble" a
computer program, hiding its implementation details while preserving its functionality.
Unfortunately, the "dream" notion of security, guaranteeing that obfuscated code does not
reveal any information beyond black-box access to the original program, has run into strong
impossibility results and is known to be unachievable for general programs. Recently, the
first plausible candidate for general-purpose obfuscation was presented by Garg et al. for a
relaxed notion of security referred to as indistinguishability obfuscation (iO). During the
past year, we have been working on developing a sound foundation for program obfuscation.
(This general topic will be further explored in our follow-up grant "Foundations and
Applications of Program Obfuscation".)

In a recent work appearing in CRYPTO'14, we presented a new hardness assumption, the
existence of "semantically secure multilinear encodings", which generalizes a multilinear
DDH assumption, and demonstrated the existence of indistinguishability obfuscation for all
polynomial-size circuits under this assumption (together with the standard LWE assumption).
This work is the first to demonstrate that security reductions can be used to base
obfuscation on a general intractability assumption (rather than just assuming that the
construction itself is secure). (After our work, several other assumptions have been
introduced by the research community.)


5 Publications During Reporting Period

1. Huijia Lin, Rafael Pass: Constant-Round Nonmalleable Commitments from Any One-Way
Function. J. ACM 62(1): 5:1-5:30 (2015)

2. Joseph Y. Halpern, Rafael Pass: Algorithmic rationality: Game theory with costly com-

• 5 papers have been selected for special issues of best papers from conferences:

— P. Austrin, K. Chung, M. Mahmoody, R. Pass, K. Seth: On the Impossibility of
Cryptography with Tamperable Randomness. Invited to the Algorithmica special issue on best
papers from CRYPTO'14.

— Rafael Pass, Huijia Lin, Muthuramakrishnan Venkitasubramaniam: A Unified Framework for
UC from Only OT. Invited to the Journal of Cryptology special issue on best papers from
ASIACRYPT 2012.

— K. Chung, R. Pass, K. Seth: Non-black-box Simulation from One-way Functions and
Applications to Resettable Security. Invited to the SIAM Journal on Computing special issue
on selected papers of STOC 2012.

— R. Pass: Unprovable Security of Perfect NIZK and Non-interactive Non-malleable
Commitments. Invited to the Computational Complexity special issue for the ten-year
anniversary of TCC. Invited to the Journal of Cryptology special issue on best papers from
TCC 2013.

— R. Canetti, H. Lin and R. Pass: Adaptive Hardness and Composable Security from Standard
Assumptions. Invited to the SIAM Journal on Computing special issue on selected papers of
FOCS 2010.